The Statement of Applicability (SoA), which you can assess through the dashboard, is a critical part of your information security management system (ISMS). It is one of the most important documents you need for ISO 27001 certification. The main purpose of the SoA is to state which ISO 27001 controls and policies the enterprise is implementing to protect its valuable information and facilities. This is why it is an integral part of the ISO 27001 documentation covering the security of an organization's information.
Why is the SoA needed?
Once you have completed the risk assessment report, you need to define the controls that will treat those risks. Those controls are listed in a separate document, the Statement of Applicability, and some of the reasons why it is necessary are:
Steps to Develop an ISO 27001 Statement of Applicability
If you are new to the ISO Manager software and wondering how to develop the ISO 27001 risk assessment together with the Statement of Applicability, then you are in the right place. The steps below walk you through the whole task.
Understanding the controls and how they are included
The first step is knowing how many controls there are and which of them will be included in your SoA. According to IT Governance, there are around 114 entries that can become part of the controls listed in the SoA.
Identification and Analysis of Risks
You will have to work with your team to explore the controls and identify all the possible risks. Keep an eye on every risk that could affect the confidentiality, integrity or availability of any asset within the scope of your ISMS. Once the risks are identified, you need to determine how they might occur and how they could affect your information.
Choose the controls to tackle the risks
According to ISO 27001, there are four recommended ways to treat risks:
Developing a Risk Treatment Plan
You need to produce risk treatment plans so that, once the risks have been identified, your organization is in a position to respond to them. The plans should also set out a proper timeline and the resources that will be used to protect the ISMS, so the team is ready to act.
Providing a Controls List
The SoA needs a list of all the controls recommended by Annex A; against each control it records whether the control has been applied and what is still left to do.
Maintain your Statement of Applicability
The SoA is not a static document; it will keep changing as the needs and operations of your business change. It also depends on the security issues you face and on the standard set forth by ISO, and ISO keeps revising the standard and its controls to provide better security for the ISMS.